Locating Prefix Hijackers using LOCK
Tongqing Qiu+, Lusheng Ji*, Dan Pei*, Jia Wang*, Jun (Jim) Xu+, Hitesh Ballani++
+ College of Computing, Georgia Tech
* AT&T Lab – Research
++ Department of Computer Science, Cornell University

Outline
• Background & Motivation
• System Architecture
• Basic algorithm and improvements
• Evaluation
• Conclusion

Background
• Autonomous System (AS)
• Border Gateway Protocol (BGP)
• Profit-driven policy
[Figure: AS A, AS B, AS C, AS D and AS E joined by peer-peer and customer-provider links; the announcement "I own prefix p!" spreads as AS update messages with AS paths BE, DE, ABE and CBE ("CBE or CDE?").]

Background (cont.)
• BGP lacks authentication
• Fabricated AS announcement
• Prefix hijacking
  – blackholing
  – imposture
  – interception
[Figure: the same topology of AS A to AS E with peer-peer and customer-provider links; AS A announces "I own prefix p!", and AS update messages carry AS paths BA, CBA and CBE.]

State of Art
• Proactive
  – Prevent hijacks from happening
    • e.g. [Kent et al. JSAC 00], [Aiello et al. CCS 03], [Subramanian et al. NSDI 04], [Karlin et al. ICNP 06], etc.
  – Deployment issues:
    • Routing infrastructure modification
    • Difficulties of incremental deployment
    • PKI requirement
• Reactive
  – Detection
    • e.g. [Lad et al. Usenix Security 06], [Ballani et al. Sigcomm 07], [Zheng et al. Sigcomm 07], [Hu et al. IEEE S&P 07], [Zhang et al. Sigcomm 08], etc.
  – Recovery
    • e.g. [Zhang et al. CoNext 07]

A Complete and Automated Solution?
Detect, Locate, Recover
• Locating is important
  – Provide key information for recovery/mitigation
• Locating is not trivial
  – Current practice
    • Identify newly appeared origin AS of prefix p
[Figure: ASes A, B, C, D and E with prefix p; A announces AE, giving AS paths BA, BAE, CBA and CBAE.]

System Architecture of LOCK
Input: Target prefix p
Output: A is the hijacker!
[Figure: AS A, AS B, AS C, AS D and AS E with prefix p, joined by peer-peer and customer-provider links.]

Key Components of LOCK
• Monitor Selection (from candidates)
  – Maximize the likelihood of observing hijacking events on the target prefix
  – Maximize the diversity of paths from monitors to the target prefix
• Locating Scheme
  – Using AS path information
  – Infer the hijacker location (how?)

Two key observations
• Countermeasure ability
  – The hijacker cannot manipulate the portion of the AS path from a polluted vantage point to the upstream neighbor AS of the hijacker AS
[Figure: monitors M1, M2 and M3; ASes A, B, C, D, H, X, Y, Z and T; T owns prefix p; path labels AH, BH, AX and BX.]

Two key observations
• Convergence: The trustworthy portion of polluted AS paths from multiple vantage points to a hijacked victim AS prefix converge around the hijacker AS (based on real AS topology).
[Figure: the same topology with monitors M1, M2 and M3 and prefix p; paths AH and BH are labelled "converge at H", paths AX and BX are labelled "converge at X?".]

Basic Locating Algorithm
• Identifying hijacker search space
  – Neighborset of one AS: ASes one hop away (including itself)
  – Based on existing AS topology
  – The union of neighborsets of all ASes on all polluted paths (why?)
  – The hijacker should be in the space (based on observation 1)
• Ranking all ASes in the search space
  – Based on observation 2
  – The more frequently an AS appears, the higher its ranking is
  – Tie breaker: The closer an AS is to the monitors, the higher its ranking is

Basic Locating Algorithm Example
[Figure: monitors M1, M2 and M3; ASes A, B, C, D, H, X, Y, Z and T with prefix p; path labels AX and BX.]

Monitors | Polluted AS PATH | Neighbor Set
M1       | A X              | (A H) (H X Y)
M2       | B X              | (B H C) (H X Y)

Hijacker List: H (4 times) > X > Y (2 times) > A = B > C (once)

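The ranking step of the basic algorithm applied to this example, as an added sketch that is not the authors' implementation. The adjacency table is constructed from the neighbor sets listed above, and the hop-count distance used for the tie breaker is an assumption about how "closer to the monitors" is measured.

```python
from collections import Counter

# Constructed AS adjacency, read off the neighbor sets in the slide example.
TOPOLOGY = {
    "A": {"H"},
    "B": {"H", "C"},
    "H": {"A", "B", "X"},
    "X": {"H", "Y"},
    "Y": {"X", "Z"},
    "C": {"B", "D"},
}

# Polluted AS paths seen by each monitor, monitor side first.
POLLUTED_PATHS = {"M1": ["A", "X"], "M2": ["B", "X"]}


def neighborset(topology, asn):
    """ASes one hop away from asn, including asn itself."""
    return {asn} | topology.get(asn, set())


def rank_suspects(topology, polluted_paths):
    """Return (tiers, counts); tiers lists suspect ASes, most likely first."""
    counts = Counter()
    distance = {}  # assumed metric: fewest AS hops from any monitor
    for path in polluted_paths.values():
        for hop, on_path in enumerate(path, start=1):
            # Search space: union of neighborsets of every AS on the path.
            for suspect in neighborset(topology, on_path):
                counts[suspect] += 1
                d = hop if suspect == on_path else hop + 1
                distance[suspect] = min(d, distance.get(suspect, d))

    def key(asn):
        # More appearances ranks higher; ties go to the AS nearer a monitor.
        return (-counts[asn], distance[asn])

    tiers = []
    for asn in sorted(counts, key=lambda a: (key(a), a)):
        if tiers and key(tiers[-1][0]) == key(asn):
            tiers[-1].append(asn)  # same count and distance: equal rank
        else:
            tiers.append([asn])
    return tiers, counts


if __name__ == "__main__":
    tiers, counts = rank_suspects(TOPOLOGY, POLLUTED_PATHS)
    print(" > ".join(" = ".join(t) for t in tiers))
```
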
Improvements
• Search space of basic algorithm
  – Trim the suspect list
• Improvement I: AS relationship
  – Basic algorithm neighborset
  – Valley free
  – Trim the neighborset on "trustworthy" ASes
• Improvement II: excluding "innocent" ASes
• Two improvements may introduce false negatives

Evaluation
• Three sets of experiments:
  – Simulating synthetic prefix hijacking events
  – Reconstructed previous known hijacking events
  – Real prefix hijacking events

Simulating Synthetic Prefix Hijacking Events
• Hijacker h and source s from 73 Planetlab nodes
  – http://www.planet-lab.org/
• 451 Target prefix t
  – Multiple Origin ASes (MOAS) prefix
  – Single Origin ASes with large traffic
  – Popular website (based on Alexa ranking)
• Emulate all possible hijacking events
  – Based on the combination of (s, h, t)
  – Imposture, interception, and malicious (countermeasure) cases
• Monitor selection
  – From Planetlab nodes
  – Based on the target prefix

Effectiveness and Improvement
• The accuracy of the basic algorithm is 85%+
• Combining both improvements, the accuracy is up to 94.3%
• False negative ratio is relatively low.

Reconstruct Previously-known Hijacking Events
• 7 hijacking events
• Locate all hijackers

Real Hijacking Events
Prefix: 204.9.168.0/22
[Figure: sites Cornell, Seattle, Berkeley and Pittsburgh connected across the Internet, with the victim and the hijacker marked.]

Real Hijacking Events (cont.)

Conclusion
• LOCK to locate prefix hijacker ASes
  – First study of hijacker location problem
  – Locate the hijacker even when countermeasures are engaged
  – Extensive evaluation illustrates high location accuracy

Acknowledgement
• Authors Tongqing Qiu and Jun (Jim) Xu would like to acknowledge the generous support from the NSF CyberTrust program (specifically CNS 0716423)

• Thank You!
• Questions